I have an Android phone which, like many others, has quickly become unsupported and is not receiving any updates. At the same time there are publicly available exploits for privilege-escalation vulnerabilities, which are mainly used for legitimately rooting the phone; however, as far as I can see, there is nothing stopping an attacker from using these exploits to completely bypass the Android permissions system. This is already done by the applications used for easy rooting of the device: they do not require any special permissions and are able to execute the exploits that give them full access to the system.

It seems like the only thing stopping a normal-looking application in the market from bypassing all Android restrictions and taking control of a device (which does not receive updates) is hoping that Google can catch all such applications and ban them from the market. This does not seem realistic to me. The other option is to run a custom ROM which often receives updates, assuming you trust the ROM developers and assuming that the ROM is fully compatible with the particular device.

So, the questions are: Is this accurate, or am I missing something? And what is the best solution for somebody who would rather not deal with custom ROMs?

3 Answers

Yes, this is accurate. If your version of the Android OS has known privilege escalation vulnerabilities, there is nothing stopping a rogue application from exploiting a privilege escalation vulnerability and thus escaping the sandbox (i.e., gaining unrestricted access to your phone).

This absence of security upgrades is a shortcoming of the Android ecosystem. The ecosystem is reliant upon handset manufacturers and carriers to continue providing security upgrades, but many handset manufacturers/carriers have declined to do so, for economic reasons. They treat the phones as disposable, and don't always show loyalty to older customers. Once the phone is a few years old, they stop providing upgrades and focus on the latest shiny models that are being sold, prioritizing selling new handsets over supporting past customers. This is not very eco-friendly and not particularly customer-friendly. I think it is unfortunate, but it appears to be a fact of life. And so it goes.

Update (12/26/2012): Ars Technica has a nice overview of the situation with Android updates, a year later. Unfortunately, it's not pretty: things haven't gotten any better, and many Android phones are not receiving updates. The security risks remain.

Some valid points... I personally go the custom ROM route. You mention having to trust the developer; this is true... just like every other open source, community-driven project. And for that matter Google, Apple, Microsoft, etc. I find it much easier to trust an open project vs. closed source anything. These are choices we have to make with all tech platforms. FWIW, Cyanogen actually works for Google now, so they apparently trust him. (I'm sure you've heard of CyanogenMod; it's what I and most others use as our ROM of choice.)

Not a lot of options at the OS level to get updates if the carriers aren't going to push them, without going rooted/custom.

As for apps in the marketplace, you just want to keep some common sense, just as you would finding and installing apps for your computer. Check out an app's ratings, feedback and download count. These are usually a good indicator.